The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Multiple flaws were found in the location object implementation in Thunderbird. Malicious content could be used to perform cross-site scripting attacks, bypass the same-origin policy, or cause Thunderbird to execute arbitrary code. (CVE-2012-4194, CVE-2012-4195, CVE-2012-4196)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Mariusz Mlynski, moz_bug_r_a4, and Antoine Delignat-Lavaud as the original reporters of these issues.

Note: None of the issues in this advisory can be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 10.0.10 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.